MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693
SHA3-384 hash: c1c69b4165b62870c92ca52ede830cc9d7f621b5d5115fb68af185483b5c4745efd5ca39c44baf8cbf62d2842c6ceca8
SHA1 hash: d13e108bb643f0105d8d949c9479e7cd457caae4
MD5 hash: 4efbfead0eec8f4d29f6f08f6509bfda
humanhash: ink-freddie-hotel-dakota
File name:4efbfead0eec8f4d29f6f08f6509bfda.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:774'144 bytes
First seen:2021-08-17 09:22:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ec99d108fd03acbc59a2a6c0a950d47a (3 x TrickBot, 1 x Worm.Ramnit)
ssdeep 12288:weTBslq08I3L92xhqmqUVWFxjPd/jxEnU2vMQsK:5tI3L9WqdjPb67j
Threatray 959 similar samples on MalwareBazaar
TLSH T121F47C09B6BECC35C09A143F5FD25664626BAE025B25F58773872B8C8630B62B53731F
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4efbfead0eec8f4d29f6f08f6509bfda.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-17 09:28:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59e134cf-412c-4711-aa6a-d0cf1edc07d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179912/
Detection(s):
SecuriteInfo.com.Trojan.Agent.FLOY.21872.24649.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db7676c1-08de-4057-a8b8-f6b7e0e57b5b
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834223
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466656 Sample: 1w8JEa5zZD.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 7 1w8JEa5zZD.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 43 185.56.175.122, 443, 49713, 49721 VIRTUAOPERATOR-ASPL Poland 12->43 45 5.152.175.57, 443, 49722, 49752 SKYLOGIC-ASIT Spain 12->45 47 9 other IPs or domains 12->47 63 Hijacks the control flow in another process 12->63 65 May check the online IP address of the machine 12->65 67 Writes to foreign memory regions 12->67 69 2 other signatures 12->69 20 svchost.exe 11 12->20         started        25 svchost.exe 12->25         started        27 svchost.exe 12->27         started        signatures7 process8 dnsIp9 37 103.148.201.66, 443, 49745 WORTEL-AS-IDPTWortelID unknown 20->37 39 186.101.84.222, 443, 49747 TelconetSAEC Ecuador 20->39 41 8 other IPs or domains 20->41 29 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->29 dropped 31 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->31 dropped 33 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->33 dropped 35 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->35 dropped 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 07:36:29 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ap7yxjenkpp3o3icddpyoyqbamb723cjkjhkwm24wlwlsc7262jq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c
TrickBot
145922b0a4d90db4438ca924535a6f058472744a29b3a4f2875846a84bd41b99
TrickBot
367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb
TrickBot
58eb3b6a9dd371f2b5c39166f7f52d0fdaa6ec8a32962221cf4f44a47c3e67e7
TrickBot
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
TrickBot
+ 949 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top115 banker trojan
Link:
https://tria.ge/reports/210817-bbap8k8676/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
b30647d36a75666d5142a875e3d5d5175cb8feefcc685b46984419b2e18cfbae
MD5 hash:
2585bb23fc85fb23e367cbbeab3e6415
SHA1 hash:
b539c5dd4709bf6886454bacf43761b76a9b13d8
Link:
https://www.unpac.me/results/c49228c6-34f5-4fa7-bb92-ad97463f4df0/
SH256 hash:
052768f762a74dfba8f86244f0964f1fbe56b70420f23713232d02b00fecf2f0
MD5 hash:
bf32eef67f44e8788adc0c12b849fa54
SHA1 hash:
90fac4ff6a18100a4d235319a5d4e88689f6ffc0
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c49228c6-34f5-4fa7-bb92-ad97463f4df0/
Parent samples :
0693dc7093f73fb893ec946c5311157f6d88d943ad142bf5e7cfae61d197447a
03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693
a36663051732f55a2234bd46bd8d0cda539be2bf2aad3a0e1b27be1686046127
ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168
SH256 hash:
3c1dccdfa240b2fb12f5ff14acc26f9a64b504e6cac4735d9a1718ce65ade5b3
MD5 hash:
f1fd1a1426a36f1ab76c2a32d239b417
SHA1 hash:
0355fa18b1124a325b335e7fefa6e0130d3b1cff
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c49228c6-34f5-4fa7-bb92-ad97463f4df0/
SH256 hash:
03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693
MD5 hash:
4efbfead0eec8f4d29f6f08f6509bfda
SHA1 hash:
d13e108bb643f0105d8d949c9479e7cd457caae4
Link:
https://www.unpac.me/results/c49228c6-34f5-4fa7-bb92-ad97463f4df0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1540855/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/179912/

Comments